A friend brought an impending WordPress security exploit to my attention, in the form of CookieMonster. Your admin session is at risk if you administer your blog from a public Internet connection (e.g. WiFi in a café): anyone else on that network can capture authentication cookies that travel over plain HTTP. Sending those cookies only over Secure Sockets Layer (SSL) takes that away, and WordPress.com users now have a checkbox to "Always use HTTPS when visiting administration pages". That checkbox is absent in self-hosted WordPress 2.6.2, but here's how to enable HTTPS, and how to win back some of the speed it costs using Google Gears in Safari.
Lock up all your cookies with a secret key
You may already have defined a SECRET_KEY to salt the authentication cookies WordPress sets for logged-in users, a feature introduced in WordPress 2.5. If you haven't, visit key generator 1.0 and copy the output into your wp-config.php file after the opening PHP tag, so it looks something like this (don't use this one; every site needs its own random value):
<?php
define('SECRET_KEY', '(X9v\'lSG|Y<CHd{.<t?Q0oT(;G8Q.kh&`7kf0V7:nu]3)KSGX-y-CF",H*7AN!#^');
Before we turn on SSL, visit key generator 1.1 and define the three further keys WordPress 2.6 uses to salt its cookies: AUTH_KEY for the plain-HTTP auth cookie, SECURE_AUTH_KEY for the secure cookie we will be using shortly, and LOGGED_IN_KEY for the site-wide logged-in cookie. Add this output to wp-config.php below the SECRET_KEY, like so (again, don't use these):
<?php
define('SECRET_KEY', '(X9v\'lSG|Y<CHd{.<t?Q0oT(;G8Q.kh&`7kf0V7:nu]3)KSGX-y-CF",H*7AN!#^');
define('AUTH_KEY', ')hL="XKt8S~T1iX/af=Ru5yp2Mk"d[CDAcyo? &ee4XNmQ%.U!{gO_56>06-lg_X');
define('SECURE_AUTH_KEY', 'q&E61L6#L0W=%(ll(G.Ig6QO>J9-DOl,<u+&.5uo@oF=sm0VxhO}/EkAN7Dou>\\$');
define('LOGGED_IN_KEY', '?O!gD|,y]Pe*WF0~%<%>[Om\\\'wwvRpM;xtye^TU9,O.]P9<\'kQa;: kMJzwf?hN0');
Force admin sessions to use an SSL connection
Salted cookies are harder to forge, but salting does nothing to stop them being read in transit; the next step is to make every administration session use SSL, so that the admin cookie is only ever set and sent over HTTPS. Under the code block above, add the following:
define('FORCE_SSL_ADMIN', true);
When you next attempt to access the /wp-admin pages of your site, you'll see a dialog like this:

Don't be alarmed, but do read the next section before you click Continue, and don't tick "always trust" until you have checked whose certificate it is. Once through, you should notice two reassuring changes. The first is that your admin page URLs are now prefixed by https://, and the second is the appearance of a padlock symbol in the top right of the Safari window.
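The padlock tells you the page came over SSL; it does not tell you that a plain-HTTP request for the admin area is refused, or that the cookie WordPress set at login carries the Secure flag (the flag that stops a browser attaching it to an http:// request, which is what the CookieMonster attack provokes). The following script checks both from raw responses. It is an added example, not code from this post or from WordPress; example.org, the cookie values and the two sample login responses are constructed, and the cookie names (wordpress_<hash>, wordpress_sec_<hash>, wordpress_logged_in_<hash>) are those WordPress 2.6 uses.

```python
"""Verify the two effects of FORCE_SSL_ADMIN on raw HTTP responses.

(a) a plain http:// request for /wp-admin/ must be redirected to https, and
(b) the admin auth cookie set at login must be the Secure one
    (wordpress_sec_<hash>), which the browser never sends over plain HTTP.
The checks take a status code plus a header list, so they run on captured
responses as well as on the live probe at the bottom.
"""
import http.client
import urllib.parse

REDIRECT_CODES = {301, 302, 303, 307, 308}


def check_admin_redirect(status, headers, host, path="/wp-admin/"):
    """Judge the response to GET http://<host><path>. Returns (ok, reason).

    `headers` is a list of (name, value) pairs, as HTTPResponse.getheaders()
    returns. Passes only for a redirect to https on the same host.
    """
    location = next((v for k, v in headers if k.lower() == "location"), None)
    if status not in REDIRECT_CODES or location is None:
        return False, "%s answered over plain HTTP (status %d)" % (path, status)
    target = urllib.parse.urlsplit(location)
    if target.scheme.lower() != "https":
        return False, "redirect target %s is not https" % location
    if target.hostname is None or target.hostname.lower() != host.lower():
        return False, "redirect leaves the host: %s" % location
    return True, "plain HTTP %s redirects to %s" % (path, location)


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def check_auth_cookies(headers):
    """Classify the cookies a login response sets; returns [(severity, message)].

    Names follow WordPress 2.6: wordpress_<hash> is the plain-HTTP auth cookie,
    wordpress_sec_<hash> the Secure one used once FORCE_SSL_ADMIN is on, and
    wordpress_logged_in_<hash> the site-wide "logged in" marker.
    """
    findings, saw_secure_auth = [], False
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name.startswith("wordpress_sec_"):
            if "secure" in attrs:
                saw_secure_auth = True
                findings.append(("ok", "%s is marked Secure" % name))
            else:
                findings.append(("fail", "%s lacks the Secure flag" % name))
        elif name.startswith("wordpress_logged_in_"):
            # Not Secure by design in 2.6: it only marks the visitor as logged
            # in on the public site and does not authorise admin actions.
            findings.append(("info", "%s travels over plain HTTP by design" % name))
        elif name.startswith("wordpress_") and name != "wordpress_test_cookie":
            # The plain-HTTP admin auth cookie: the login did not happen over
            # SSL, so FORCE_SSL_ADMIN is not in effect.
            findings.append(("fail", "%s set: admin auth cookie is not Secure" % name))
    if not saw_secure_auth:
        findings.append(("fail", "no Secure admin auth cookie (wordpress_sec_*) was set"))
    return findings


def passed(findings):
    """True when no finding is a failure."""
    return not any(sev == "fail" for sev, _ in findings)


def probe_redirect(host, path="/wp-admin/", timeout=10):
    """Live check of (a). It deliberately requests the admin path over plain
    HTTP, so run it from a network you trust."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return check_admin_redirect(resp.status, resp.getheaders(), host, path)
    finally:
        conn.close()


# Constructed login responses for example.org (not captured from a real site).
HARDENED_LOGIN = (302, [
    ("Location", "https://example.org/wp-admin/"),
    ("Set-Cookie", "wordpress_sec_0b4c2d3e=alice%7C1222000000%7Cdeadbeef; path=/wp-admin; secure"),
    ("Set-Cookie", "wordpress_logged_in_0b4c2d3e=alice%7C1222000000%7Ccafebabe; path=/"),
])
UNHARDENED_LOGIN = (302, [
    ("Location", "http://example.org/wp-admin/"),
    ("Set-Cookie", "wordpress_0b4c2d3e=alice%7C1222000000%7Cdeadbeef; path=/wp-admin"),
    ("Set-Cookie", "wordpress_logged_in_0b4c2d3e=alice%7C1222000000%7Ccafebabe; path=/"),
])

if __name__ == "__main__":
    for label, (status, headers) in (("hardened", HARDENED_LOGIN), ("unhardened", UNHARDENED_LOGIN)):
        print(label, "redirect:", check_admin_redirect(status, headers, "example.org"))
        for severity, message in check_auth_cookies(headers):
            print(label, severity, message)
```

Run it as-is to see the hardened and unhardened samples judged; call probe_redirect("yourblog.example") from a trusted network to test a live site. The cookie check wants a real login response, so capture the headers of the wp-login.php POST (over https) and feed them to check_auth_cookies. A wordpress_<hash> cookie showing up there means the login did not run over SSL, whatever the padlock said afterwards.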
Why is my certificate "invalid"?
Because the certificate the server presents is not one that a certificate authority your browser trusts has issued for your domain: either it is self-signed, or, as in the example below, it is a valid certificate for a different hostname. If, instead of clicking Continue, you click Show Certificate, you'll see more information:

In this example, because bioneural.net is hosted on a Media Temple Gridserver, the certificate is Media Temple's and doesn't match my domain. I could buy my own certificate (Media Temple users see here), but I'd rather not spend US$170 since I'm happy to trust the identity of my own hosting company. Be clear about what the warning cannot tell you, though: an attacker on the café network who intercepts your connection presents their own certificate, and that produces exactly the same dialog. So do this check once from a connection you trust, confirm that the issuer, subject and fingerprint shown really belong to your host, and only then, if you are convinced that you are in fact connecting to your web host, check the box in the above window that reads:
Always trust "(your host)" when connecting to "(your domain)"
You will need to authenticate with your OS X password, after which you will no longer see the invalid certificate warning every time you log in. The padlock will still show, and your traffic will still be encrypted to the holder of that certificate, which is your host if you checked it above. From now on the warning reappearing is itself a signal: it means a different certificate is being presented, which on a café network is exactly what an interception looks like, so stop and compare the fingerprint before continuing.
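Comparing fingerprints by eye in Safari's certificate panel works, but it is easy to get lazy about. The script below does the same job from the command line: record the fingerprint once from a trusted network, then re-check before clicking through a warning elsewhere. It is an added example and not part of the original post; ssl.get_server_certificate is the standard-library call it relies on, and SAMPLE_DER / SAMPLE_PEM are constructed stand-ins so the hashing can be exercised offline (they are not a real certificate).

```python
"""Pin your host's certificate so an "invalid certificate" warning on an
untrusted network can be told apart from an interception.

Record the fingerprint once, from a network you trust; before clicking
through a warning elsewhere, fetch it again and compare. Safari's certificate
details show a SHA1 fingerprint, so that form is produced alongside SHA-256.
"""
import base64
import hashlib
import ssl
import textwrap


def pem_to_der(pem):
    """Return the DER bytes of the first certificate in a PEM string."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    start = pem.index(begin) + len(begin)
    stop = pem.index(end, start)
    return base64.b64decode("".join(pem[start:stop].split()))


def fingerprint(der, algorithm="sha256"):
    """Colon-separated upper-case hex digest, the way certificate viewers print it."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pin(observed, pinned):
    """Compare ignoring case, colons and spaces, so a hand-copied pin works."""
    def norm(s):
        return s.replace(":", "").replace(" ", "").upper()
    return norm(observed) == norm(pinned)


def fetch_fingerprint(host, port=443, algorithm="sha256"):
    """Live: fetch the leaf certificate the server presents, without validating
    it (validation failing is the whole situation here), and fingerprint it."""
    pem = ssl.get_server_certificate((host, port))
    return fingerprint(pem_to_der(pem), algorithm)


def check_host(host, pinned, algorithm="sha256"):
    """Live: returns (ok, observed_fingerprint) for the certificate host presents now."""
    observed = fetch_fingerprint(host, 443, algorithm)
    return matches_pin(observed, pinned), observed


# Constructed stand-in: arbitrary bytes wrapped like a PEM body. It is not a
# parseable X.509 certificate, but fingerprinting only hashes the DER bytes,
# so it exercises the same code path as a real one.
SAMPLE_DER = b"constructed stand-in for a DER-encoded certificate, not real X.509"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:      # usage: pin.py <host> <pinned fingerprint>
        ok, seen = check_host(sys.argv[1], sys.argv[2])
        print("MATCH" if ok else "MISMATCH: do not click Continue", seen)
    else:                       # offline demonstration on the constructed sample
        print("sha1  ", fingerprint(pem_to_der(SAMPLE_PEM), "sha1"))
        print("sha256", fingerprint(pem_to_der(SAMPLE_PEM)))
```

The pin is the fingerprint of whatever leaf certificate your host actually serves, mismatched name and all; that is fine, because the property you are pinning is "the same certificate as last time", not "a certificate for my domain". Pass the SHA-1 form if you want to compare against what Safari's panel displays.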
Slow going?
One possible side effect of using SSL is a slower connection (the extra handshake, and the encryption and decryption of every request, take time). WordPress includes support for Google's browser extension, Gears, just released for Safari.
Gears is what the Turbo link in the WP admin area is all about.
It's called "Turbo" because it speeds things up: Gears stores a local copy of the admin area's static files (scripts, stylesheets and images) on your disk, so they don't have to be fetched over SSL on every page load. On clicking the link you'll see the following pop-up:

Clicking Install Now will take you to Google and download a disk image called gears-osx-opt.dmg. Quit Safari and run the installer, then relaunch Safari and hit the Turbo link in WP Admin once more. You will be prompted to enable Gears:

Be patient while the files from your online WordPress installation are being copied to local storage:

Once this is done, Gears should be playing nicely with WordPress. Safari gains a new Google Gears Settings menu option which lets you control permissions, or remove the local store, for your WordPress blog or for other sites that use Gears:

Does this secure admin from iPhone Safari?
Yes, it does. You'll get a variation on the "invalid" certificate warning, followed by a padlock icon in the address bar if you tap Accept (the same caution applies: know whose certificate you are accepting):

There's no iPhone version of Gears to accelerate these sessions, however.
Hi,
When I try to make my WP blog SSL secure I get the Install WP page, as if I had not installed WP yet?
I added the mentioned generated define codes (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY) and added this line define('FORCE_SSL_ADMIN', true); to my wp-config.php.
I also changed my SECRET_KEY to a new one as mentioned above (or should I keep my old one?).
PS. I am not using Safari but I assume this is not relevant, since SSL is not limited to Safari but is a web feature? Correct?
Looking forward to any reply ;)
@Steven: I'm not sure why you're being taken to the install page. Did you add all 5 define(); statements consecutively and immediately following the opening PHP tag, with no extra spaces, and every line with a trailing ";"?
I didn't change my SECRET_KEY; I just left it in place and added the other definitions immediately after it. Ryan didn't say anything about deleting it; I don't think I implied that you should change it either.
Correct, it shouldn't matter that you're not using Safari; the above works fine for me in Firefox and IE too.